This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Method to verify results based on a graph generated in wireshark

0

I want to write a script where I need to verify the final result (pass/fail) based on a graph generated in wireshark.

  • Message rate is to be configured for e.g., 25000 and the same is to be verified from graphs.
  • In wireshark, under "Statistics" menu, "IO Graph" is there. There I need to give different filters for "Graph 1", "Graph 2" and "Graph 3". Three graphs with different colors will be generated.
  • I need to verify that the rate is exactly same (here 25000) what was configured.

Attaching reference screenshot :-


To write pcap before sending messages

sudo /usr/sbin/tethereal -i eth2 -q -w Wm_FUN_010.pcap -R diameter

To read pcap after message exchange is done

sudo /usr/sbin/tethereal -r Wm_FUN_010.pcap -R "diameter.Auth-Request-Type == 2 && diameter.cmd.code == 265 && diameter.flags.request == 1"

As of now, I know only Graph option to verify the rate, but I am looking for an automated script solution. Is there a way I can do this with Graph or any other method?

I searched for reference but couldn't get any information on this. It will be really helpful if someone can suggest a method or reference to achieve above requirement.

I tried following command which gives count based on time interval, but what I need is, count for a particular protocol message which is 6 for my case.

-bash-3.2$ tshark -q -nr rad_fun_010.pcap -t ad -z io,stat,1,"COUNT(frame.len)frame.len"

===================================================================
IO Statistics
Interval: 1.000 secs
Column #0: COUNT(frame.len)frame.len
                |   Column #0
Time            |   COUNT
000.000-001.000         2
001.000-002.000         0
002.000-003.000         9
003.000-004.000         0
004.000-005.000         0
005.000-006.000         0
006.000-007.000         0
007.000-008.000         2
===============================================

With “tshark io” related command, getting count might be possible, but couldn’t get enough information on this. Can someone throw some light on how to achieve this?

asked 06 Oct '13, 10:49


npatel
11336
accept rate: 0%

edited 15 Sep '14, 22:38


Guy Harris ♦♦
17.4k335196


2 Answers:

1

You can use tshark's -z io,stat option. That command can take display filters as well to generate those types of stats as output which you can then return to the scripted process you're referring to.

Depending on the setup, another way is to use the 'tshark -T fields -e (display filter) -e (display filter)' command to print out columns that you want and pipe them into awk scripts (for example) to generate all the stats you want from them that way. diameter.resp_time would be one example value that you can make use of to calculate min/max/average Diameter response times.

answered 06 Oct '13, 21:56


Quadratic
1.9k6928
accept rate: 13%

@Quadratic, Thanks for your response. Will check and get back if there is any issue.

(07 Oct '13, 00:26) npatel

1

Another option with tshark would be:

tshark -r Wm_FUN_010.pcap -R "diameter.Auth-Request-Type == 2 && diameter.cmd.code == 265 && diameter.flags.request == 1" -T fields -e frame.time_relative -e frame.number -e ip.src -e ip.dst -E header=y -E "separator=;"

or even

tshark -r Wm_FUN_010.pcap -R "diameter.Auth-Request-Type == 2" -T fields -e frame.time_relative -e frame.number -e ip.src -e ip.dst -e diameter.cmd.code -E header=y -E "separator=;"

Hint: You might need a more recent version of tshark than the tethereal you are currently using ;-)

Take the output of that command and feed it into a spreadsheet or a script and do the analysis yourself. You'll get the time, the frame number (if needed) and the IP addresses (to distinguish different conversations). With that information you can easily calculate the 'message rate'.

Regards
Kurt

answered 07 Oct '13, 07:57


Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 09 Oct '13, 01:54

I tried following command which gives count based on time interval, but what I need is, count for a particular protocol message which is 6 for my case.

Did you try my tshark command?

(09 Oct '13, 01:53) Kurt Knochner ♦
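
The scripted pass/fail check asked for in the question, built on the semicolon-separated `-T fields` output suggested in the answers; this is an added example, not part of any post above. The function names, the sample rows and their addresses are constructed, and ignoring the last one-second interval is an assumption (a capture normally stops part-way through it).

```shell
#!/bin/sh
# Constructed sample of `tshark ... -T fields -e frame.time_relative -e frame.number
# -e ip.src -e ip.dst -E header=y -E "separator=;"` output (addresses are made up).
sample_fields() {
    cat <<'EOF'
frame.time_relative;frame.number;ip.src;ip.dst
0.000000;1;10.0.0.1;10.0.0.2
0.310000;2;10.0.0.1;10.0.0.2
0.650000;3;10.0.0.1;10.0.0.2
1.020000;5;10.0.0.1;10.0.0.2
1.400000;6;10.0.0.1;10.0.0.2
1.900000;8;10.0.0.1;10.0.0.2
2.100000;9;10.0.0.1;10.0.0.2
EOF
}

# Print "<second> <count>" for each one-second bucket from the first to the last
# matching frame; buckets with no matching frame are printed with count 0.
rate_per_second() {
    awk -F';' '
        $1 !~ /^[0-9]/ { next }                 # skip header and blank lines
        { s = int($1); n[s]++
          if (!seen || s < lo) lo = s
          if (!seen || s > hi) hi = s
          seen = 1 }
        END { if (seen) for (s = lo; s <= hi; s++) printf "%d %d\n", s, n[s] + 0 }'
}

# check_rate EXPECTED: succeed only if every bucket holds exactly EXPECTED messages.
# Assumption: the last bucket is ignored, since the capture normally ends inside it.
check_rate() {
    rate_per_second | awk -v want="$1" '
        { sec[NR] = $1; cnt[NR] = $2 }
        END {
            if (NR < 2) { print "FAIL: need at least two intervals"; exit 1 }
            for (i = 1; i < NR; i++)
                if (cnt[i] + 0 != want + 0) {
                    printf "FAIL: second %d has %d messages, expected %d\n", sec[i], cnt[i], want
                    bad = 1
                }
            if (!bad) print "PASS"
            exit bad + 0
        }'
}

sample_fields | check_rate 3   # prints PASS
```

With a real capture, pipe the tshark command in place of `sample_fields` and pass the configured rate (25000 in the question) to `check_rate`; its exit status is the pass/fail result.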